Giant Internet Explorer Patch in August Patch Tuesday

Microsoft fixed 37 vulnerabilities in Internet Explorer and in supported versions of Windows as part of its August Patch Tuesday release.

There were nine security bulletins for August, of which two were rated as critical, according to Microsoft's advisory. The cumulative update for all supported versions of Internet Explorer fixed 26 bugs, including one that was publicly disclosed at Black Hat, and should be considered as the highest priority. Of the 26, a privilege escalation bug was already being exploited in the wild, Microsoft said. The flaw disclosed at Black Hat is also a privilege escalation flaw and could allow an attacker to bypass the application sandbox.

"This constant slew of critical Internet Explorer vulnerabilities is yet another reminder of the importance of implementing least-privilege to make sure that if a user is exploited with one of these vulnerabilities the attacker will not simply be handed Administrator rights," said Marc Maiffret, CTO of BeyondTrust.

It's also important to remember that many of these issues are likely present in Internet Explorer on Windows XP, and would have been patched, had Microsoft still supported the old operating system, said Ross Barrett, senior manager of security engineering at Rapid7.

People Still Use Windows Media Center?

The second critical update of the month fixed one flaw in Windows Media Center, but affects only the Professional/Ultimate/Enterprise editions of Windows 7 and 8/8.1, and the "Media Center TV Pack" for Windows Vista. A successful exploit would require the user to open a specially crafted Microsoft Office file that invokes Windows Media Center resources, and would result in remote code execution. The attacker would gain the same privileges as the user.

"This is not a true remote, but rather yet another attack where a user must be coerced into opening a malicious file," Barrett said.

Issues in SQL Server

The SQL Server patch fixed an issue which, if exploited, could result in a denial of service on all supported versions. The elevation of privilege bug is not rated as critical because it requires some degree of authentication to exploit, "but given the potential for that to happen in any number of circumstances this will no doubt be an important issue to administrators to address," Barrett said.

The cross-site scripting flaw addressed by the SQL Server patch can be exploited "to take any action a user could take on a site on behalf of the targeted user," Maiffret said. The XSS filter in Internet Explorer versions 8 through 11 can prevent this attack, so users should enable the filter for both the Internet and the Intranet zones.
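One way an administrator can check whether the filter is actually on for those two zones, as an added example that is not part of the original article: the script below reads the per-zone setting from the current user's registry hive. It assumes that the XSS Filter is controlled by the DWORD value named 1409 under each zone key (0 meaning enabled, 3 meaning disabled), and that zone 1 is Local intranet and zone 3 is Internet; those mappings are assumptions made for this example, not statements from the article.

```powershell
# Added example, not from the article: audit the IE XSS Filter setting for the
# Internet and Local intranet zones of the current user.
# Assumptions: value 1409 under each zone key holds the XSS Filter action
# (0 = enabled, 3 = disabled); zone 1 = Local intranet, zone 3 = Internet.
$ZoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

function Get-IeXssFilterState {
    param([int]$ZoneId)
    $key = Join-Path $ZoneBase $ZoneId
    # The value is absent when the zone still uses its built-in default.
    $item = Get-ItemProperty -Path $key -Name '1409' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (zone default)' }
    switch ($item.'1409') {
        0       { 'enabled' }
        3       { 'disabled' }
        default { "unknown ($($item.'1409'))" }
    }
}

foreach ($id in ($Zones.Keys | Sort-Object)) {
    '{0,-15} (zone {1}): XSS Filter {2}' -f $Zones[$id], $id, (Get-IeXssFilterState -ZoneId $id)
}

# To turn the filter on for a zone that reports 'disabled' (run as the affected user):
# Set-ItemProperty -Path (Join-Path $ZoneBase 3) -Name '1409' -Value 0 -Type DWord
```

Note that a Group Policy setting can override the per-user value, in which case the effective state is whatever the policy applies rather than what this hive reports; in a managed environment the policy object is the place to confirm.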

Time to Remove Admin Rights

The remaining seven bulletins fixed issues in various other Microsoft technologies, including kernel mode drivers, the .NET Framework, OneNote, Windows Installer, and SharePoint. Most of them are elevation of privilege flaws.

Elevation of privilege vulnerabilities can be mitigated by reducing the privilege level of the logged on user to the lowest privilege level possible, said Chris Goettl, a product manager at Shavlik. "Many IT organizations struggle to reduce privileges for the user while still allowing them to work effectively," but this month's updates show why administrators should lock down privileges where possible, Goettl said.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.